How does the server authenticate the client?

There are many ways in which an SSH server can authenticate a client. The most basic method is password authentication, but it is not the most secure one: even though the password is sent to the server securely, it can be easily brute-forced if it is not very complex.

What are SSH keys?

SSH keys are a pair of cryptographically secure keys that are used to authenticate a client to an SSH server. Every key pair consists of a public key and a private key.

The private key is retained by the client and kept absolutely secret. If by any chance the private key is compromised then anyone can get access to the server using the private key without further authentication. To add extra security the private key can be encrypted on the client side using a passphrase.

The public key of the SSH key pair is uploaded to the server that the client wants to log in to. The public key is added to a special file inside the user account that the client wants to log in as. This special file is inside the .ssh directory and is called authorized_keys.

How does SSH key-based authentication work?

When a client wants to access a remote server, it initiates an SSH connection. The remote server then sends a random message to the client. The client uses its private key to encrypt the random message and sends the encrypted message back to the server. The server then uses the public key of the SSH key pair, which was uploaded by the client, to decrypt the encrypted message sent by the client. If the decrypted message is the same as the message initially sent by the server, then the client is authenticated and granted access. Otherwise, the client is denied access to the remote server.

Now the interesting part of this tutorial.

How to create SSH keys?

Client side

Open the terminal and go to the user directory by using the cd command.

YUSUF-MacBook-Pro:~ yusufshakeel$ cd

Now move inside the .ssh directory.

YUSUF-MacBook-Pro:~ yusufshakeel$ cd .ssh

You can use the ls -la command to list the public-private keys inside the .ssh directory.

Now, to create a new SSH key pair, we use the ssh-keygen utility included with standard OpenSSH.

You will be asked to enter the file name where you want to save the key.

If the file name already exists, then you will be asked whether you want to overwrite the existing file. If you overwrite an existing key that is being used by some other application, then that application will no longer be able to authenticate. So, choose this carefully.

Then you will be asked to enter a passphrase (this is optional). If you don't want to set a passphrase, then simply press ENTER and continue.

What is the use of a passphrase?

The private key is kept absolutely secret on the client and is never exposed on the network. The passphrase is used to decrypt the private key on the client, so it provides an extra layer of security.

If you choose to set a passphrase, then you will have to enter the passphrase every time you use the key.

In this example I will be saving my SSH key under the name yusufshakeel_rsa and I will not set the passphrase.
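
Whether a private key on disk is actually protected by a passphrase can be checked without knowing the passphrase. The following Python check is an added example, not part of the original tutorial: it parses the unencrypted header of the OpenSSH private key format, where the cipher name is "none" for an unprotected key, and also recognises the encryption markers of legacy PEM files. The function names are this example's own, and the two sample keys are constructed header-only blobs with no key material.

```python
import base64

MAGIC = b"openssh-key-v1\0"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"

def _read_string(buf, off):
    """Read one SSH string: uint32 big-endian length, then that many bytes."""
    n = int.from_bytes(buf[off:off + 4], "big")
    end = off + 4 + n
    if end > len(buf):  # also catches a short length field
        raise ValueError("truncated SSH string")
    return buf[off + 4:end], end

def key_protection(text):
    """Return (cipher, kdf, rounds) from an OpenSSH-format private key file."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    cipher, off = _read_string(blob, len(MAGIC))
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    rounds = None
    if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
        _salt, o = _read_string(kdfopts, 0)
        if len(kdfopts) < o + 4:
            raise ValueError("truncated KDF options")
        rounds = int.from_bytes(kdfopts[o:o + 4], "big")
    return cipher.decode(), kdf.decode(), rounds

def is_passphrase_protected(text):
    if BEGIN in text:
        return key_protection(text)[0] != "none"
    if "PRIVATE KEY-----" in text:  # legacy PEM / PKCS#8 flag encryption in the header
        return "Proc-Type: 4,ENCRYPTED" in text or "BEGIN ENCRYPTED PRIVATE KEY" in text
    raise ValueError("not a private key file")

def make_sample(cipher, kdf, kdfopts):
    """Constructed header-only sample: correct layout, no key material."""
    s = lambda b: len(b).to_bytes(4, "big") + b
    blob = MAGIC + s(cipher) + s(kdf) + s(kdfopts) + (1).to_bytes(4, "big")
    return "\n".join([BEGIN, base64.b64encode(blob).decode(), END]) + "\n"

# Constructed samples: one without a passphrase, one with (16-byte salt, 16 rounds).
PLAIN = make_sample(b"none", b"none", b"")
LOCKED = make_sample(b"aes256-ctr", b"bcrypt", b"\0\0\0\x10" + b"S" * 16 + b"\0\0\0\x10")
```

To audit a real key, pass the text of the private key file to is_passphrase_protected; a key saved without a passphrase, as in this tutorial, returns False.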